What is Network Detection and Response?

Defining Network Detection and Response

Gartner defines Network Detection and Response (NDR) as the following: Network Detection and Response uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.

NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.

Why is Network Detection and Response Important?

Advanced attacks are designed to evade traditional preventative and detection techniques. Network Detection and Response solutions provide a sound method for identifying threats traversing through the network as well as through cloud traffic. One key attribute of Network Detection and Response solutions is the coverage across all ports and protocols to ensure full visibility.

There are a multitude of detection techniques that Network Detection and Response solutions leverage, including supervised and unsupervised machine-learning techniques, deep packet and deep session inspection, malware detection, sandboxing, asset inventory, and more.

Beyond detection, organizations also use NDR solutions to help investigate and mitigate an incident. To this end, Network Detection and Response tools that are integrated with endpoint detection and response solutions can offer substantial improvements in speeding alert investigation and resolution. A good example of this is automatically validating that a detected threat via network traffic has in fact compromised an endpoint or multiple endpoints in the environment, and then having the ability to automatically take an action, such as isolating that impacted endpoints from the network.

Network Detection and Response solutions can also collect and store rich metadata that can be easily searched for deeper investigation and hunting efforts. The value of the metadata is that it is easy to query, facilitates faster investigations and is much more cost-effective than storing full PCAPs.

Examples of metadata that can be collected are the:

WHO
domain user, webmail user, FTP user, email address, device ID, organization name

WHAT
filenames, SHA256, MD5, content tags, malware name, malware type

WHEN
from present day/time to as far back as you want to store data

WHERE
source, destination, country, IP address, organization, url, domain

HOW
protocols, applications, file type, user agent, custom protocols, obfuscated files and scripts

What are the Key Aspects of a NDR Solution?

A robust Network Detection and Response solution should:

  • Provide visibility across all ports and all protocols
  • Bi-directionally scan all network traffic to reveal network and application protocols, files, and content via sensors that can be placed at the gateway, internally, in the cloud, and at both the email and web gateways
  • Conduct real-time analysis of raw network packet traffic or traffic flows
  • Monitor and analyze north/south traffic and as east/west traffic
  • Differentiate between normal and anomalous network and cloud traffic
  • Leverage machine learning and analytics to detect network traffic anomalies
  • Provide rich metadata that enables retrospective detection and analysis going back many months
  • Profile TLS encrypted traffic based on metadata and certificates, determining human browsing versus machine traffic, and leveraging data science models to detect hidden threats
  • Consolidate “Like” alerts and the related context and evidence to speed alert triage
  • Help automate relevant response actions based on what has been detected

Eliminate Blind Spots with Network Detection and Response

Learn about Fidelis Network